Method: legacy.legacySearchAssetEvents

Full name: projects.locations.instances.legacy.legacySearchAssetEvents

Legacy endpoint for getting events for a given asset.

HTTP request

GET https://chronicle.googleapis.com/v1alpha/{instance}/legacy:legacySearchAssetEvents

Path parameters

Parameters
instance

string

Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

Query parameters

Parameters
assetIndicator

object (AssetIndicator)

Required. The asset to return events for.

timeRange

object (Interval)

Required. The time range of the events to return [inclusive start time, exclusive end time).

maxResults

integer

The maximum number of events to return. The service may return fewer than this value. If unspecified, at most 10,000 events will be returned. The maximum value is 100,000; values above 100,000 will be coerced to 100,000.

referenceTime

string (Timestamp format)

The reference time used to resolve (alias) the indicator and fetch the asset's results.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

Request body

The request body must be empty.

Response body

Returns searched for events grouped into different categories.

If successful, the response body contains data with the following structure:

JSON representation
{
  "results": [
    {
      object (SearchResult)
    }
  ],
  "alerts": [
    {
      object (AssetAlertEvent)
    }
  ],
  "ip_network_events": [
    {
      object (IpNetworkEvent)
    }
  ],
  "edr_events": [
    {
      object (AssetEdrEvent)
    }
  ],
  "typed_user_events": [
    {
      object (UserEvent)
    }
  ],
  "md5_file_hashes": [
    string
  ],
  "sha1_file_hashes": [
    string
  ],
  "sha256_file_hashes": [
    string
  ],
  "total_records": string,
  "too_many_results": boolean
}
Fields
results[]

object (SearchResult)

A list of network events along with their associated domains. Sorted in ASC order of SearchResult.timestamp.

alerts[]

object (AssetAlertEvent)

A list of alert events for the given indicator and time range. Sorted in ASC order of AssetAlertEvent.timestamp.

ip_network_events[]

object (IpNetworkEvent)

A list of network events with an associated destination IP that have no domain. Sorted in ASC order of IpNetworkEvent.timestamp.

edr_events[]

object (AssetEdrEvent)

A list of EDR events. Sorted in ASC order of AssetEdrEvent.timestamp.

typed_user_events[]

object (UserEvent)

A list of user events. Sorted in ASC order of UserEvent.timestamp.

md5_file_hashes[]

string

All unique md5 file hashes within all events being returned.

sha1_file_hashes[]

string

All unique sha1 file hashes within all events being returned.

sha256_file_hashes[]

string

All unique sha256 file hashes within all events being returned.

total_records

string (int64 format)

The total number of records matching the request.

too_many_results

boolean

Whether the request results in more records than those specified in the max_results field.
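Example (added here; not Google's client library and not code from this reference page): the Python below assembles the GET request described above for one asset and one [start, end) window, then interprets the response fields, de-duplicating the hash lists and using too_many_results to decide whether the window must be narrowed and re-queried. The nested query keys assetIndicator.hostname, timeRange.startTime and timeRange.endTime are assumptions about how the AssetIndicator and Interval messages are flattened into query parameters (this page lists only the top-level parameter names), and the project, instance id, hostname and response payload are constructed sample values.

```python
"""Assemble a legacySearchAssetEvents request and interpret its response.

Added example; not Google's client code and not from this reference page.
The nested query keys (assetIndicator.hostname, timeRange.startTime/endTime)
are assumptions about how the AssetIndicator and Interval messages are
flattened into query parameters; the page itself lists only the top-level
parameter names.
"""
import json
import urllib.request
from datetime import datetime, timezone
from urllib.parse import urlencode

BASE_URL = "https://chronicle.googleapis.com/v1alpha"
DEFAULT_MAX = 10_000   # service default when maxResults is unspecified
HARD_MAX = 100_000     # values above this are coerced down by the service


def instance_path(project: str, location: str, instance_id: str) -> str:
    """Build the {instance} path segment in the format the page requires."""
    return f"projects/{project}/locations/{location}/instances/{instance_id}"


def to_rfc3339(ts: datetime) -> str:
    """RFC 3339 UTC 'Zulu' form, as the page requires for Timestamp fields."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_request_url(instance: str, hostname: str, start: datetime,
                      end: datetime, max_results: int = DEFAULT_MAX) -> str:
    """Return the full GET URL for one asset and one [start, end) window."""
    if end <= start:
        raise ValueError("timeRange must be a non-empty [start, end) interval")
    # Mirror the server's coercion so the client never expects more than it can get.
    max_results = min(max_results, HARD_MAX)
    params = {
        "assetIndicator.hostname": hostname,   # assumed field name (see docstring)
        "timeRange.startTime": to_rfc3339(start),
        "timeRange.endTime": to_rfc3339(end),
        "maxResults": max_results,
    }
    return f"{BASE_URL}/{instance}/legacy:legacySearchAssetEvents?{urlencode(params)}"


def fetch(url: str, access_token: str) -> dict:
    """Perform the GET with an OAuth bearer token (cloud-platform scope). Not run offline."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


EVENT_LISTS = ("results", "alerts", "ip_network_events", "edr_events", "typed_user_events")


def summarize(response: dict) -> dict:
    """Count events per category, de-duplicate the hash lists and flag truncation."""
    return {
        "event_counts": {name: len(response.get(name, [])) for name in EVENT_LISTS},
        # int64 fields arrive as JSON strings; convert before arithmetic.
        "total_records": int(response.get("total_records", "0")),
        "truncated": bool(response.get("too_many_results", False)),
        "unique_hashes": {
            algo: sorted(set(response.get(f"{algo}_file_hashes", [])))
            for algo in ("md5", "sha1", "sha256")
        },
    }


def next_windows(response: dict, start: datetime, end: datetime) -> list:
    """If the window was truncated (too_many_results), halve it so the next
    requests can page through by time; otherwise there is nothing more to fetch."""
    if not response.get("too_many_results", False):
        return []
    mid = start + (end - start) / 2
    return [(start, mid), (mid, end)]


# Constructed sample response (shape from the page; event bodies reduced to timestamps,
# hash values are the well-known digests of the empty file).
SAMPLE_RESPONSE = json.loads("""
{
  "results": [{"timestamp": "2024-05-01T10:00:00Z"}],
  "alerts": [],
  "ip_network_events": [{"timestamp": "2024-05-01T10:01:00Z"},
                        {"timestamp": "2024-05-01T10:02:00Z"}],
  "edr_events": [],
  "typed_user_events": [],
  "md5_file_hashes": ["d41d8cd98f00b204e9800998ecf8427e",
                      "d41d8cd98f00b204e9800998ecf8427e"],
  "sha1_file_hashes": [],
  "sha256_file_hashes": ["e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"],
  "total_records": "250000",
  "too_many_results": true
}
""")

if __name__ == "__main__":
    inst = instance_path("my-project", "us", "00000000-0000-0000-0000-000000000000")
    start = datetime(2024, 5, 1, tzinfo=timezone.utc)
    end = datetime(2024, 5, 2, tzinfo=timezone.utc)
    print(build_request_url(inst, "host01", start, end))
    print(json.dumps(summarize(SAMPLE_RESPONSE), indent=2))
    for s, e in next_windows(SAMPLE_RESPONSE, start, end):
        print("re-query:", build_request_url(inst, "host01", s, e, HARD_MAX))
```

Because the endpoint has no page token, a truncated window (too_many_results true, total_records above maxResults) can only be completed by splitting the time range and querying each half again; the halving in next_windows is that loop's single step, and the de-duplicated hash lists are what you would feed into a hash-based IoC match.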

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the instance resource:

  • chronicle.legacies.legacySearchAssetEvents

For more information, see the IAM documentation.